01-11-2021 02:34 PM
Hi,
I’m currently on a migration process from Microsoft NPS to Extreme Control.
We have a Cisco ASA as VPN-Gateway.
I will authenticate VPN-Users and Mgmt-Logins.
In the past we separated this with different “called-station-id” values.
Can I realize this with NAC? AFAIK I can’t check/match LDAP-Criteria (LDAP-User-Group) and Radius-Attribute (Radius-User-Group) at the same time.
Or is there a way to realize this?
01-12-2021 02:47 PM
Hi Mig, Peter,
Just thinking out loud, I suspect it would be possible to use User Group with LDAP/RADIUS lookups and End-System Group with LDAP lookups configured in such a way that a user is still looked up…?
Hope that helps,
Tomasz
01-12-2021 08:58 PM
Hi Peter,
This idea came to my mind as in the past there were some issues with LDAP Configuration having both user and computer lookup settings and for computer authentication a separate LDAP Configuration had to be made, with computer-specific attributes and object type in user lookup fields. I don’t remember why it was so, but if it worked, the opposite should also work. Labels are just labels. 😉
Cheers,
Tomasz
01-12-2021 07:56 PM
Hi Tomasz,
Thanks for that idea.
That would be a very dirty workaround, but it should work.
I will test this. I’m excited to see how that will look in End-System View.
01-11-2021 03:35 PM
Hi Peter,
I don’t think you can match both at the same time because they are both “User-Group” type.
Can you set an empty called-station-id instead of LAN-IP?
If so, Control will treat this as management access.
Mig